Restrict IMAP login, but allow Postfix SASL
Hi,
we have a very simple user-/passdb (like passwd) to authenticate virtual IMAP users. We also use this for Postfix authentication. Nothing special.
But, we need to exclude some of the users from IMAP login. This means, some users should be allowed to send mail via Postfix (submission) and therefore authenticate via SASL against dovecot successfully, but they should not be allowed to login to their IMAP mail box.
How could this be done?
Thanks! -lutzn
allow_nets with local,127.0.0.1/32
defined, should do the trick - this assumes you don’t have any webmail running on the same host, since that would still allow authentication.
https://doc.dovecot.org/configuration_manual/authentication/allow_nets/
I use allow_nets to “suspend” user logins, but allow LMTP to continue to function for example.
On 6/1/22 19:57, Lucas Rolff wrote:
this assumes you don’t have any webmail running on the same host, since that would still allow authentication.
One could configure the webmail to connect to IMAP over some local address that isn't in 127.0.0.0/8, one that's on one of the network interfaces, or one can even add a special IP address for this purpose to the loopback interface
That’s indeed a good point, and very much possible!
You really need to database your passwd auth
sasl supports pgsql / mysql
you can then alter the queries by selecting flags pending the access you want to allow
dovecot-pgsql.conf
password_query = SELECT username as user, password FROM email_users WHERE username = '%u' and password <> 'alias' and status = True and destination = '%u'
user_query = SELECT home, uid, gid FROM email_users WHERE username = '%u' and password <> 'alias' and status = True and destination = '%u'
#iterate_query = SELECT user, password FROM email_users WHERE username = '%u' and password <> 'alias' and status = True and destination = '%u'
iterate_query = SELECT "username" as user, domain FROM email_users WHERE status = True and alias_flag = False
postfix
smtpd.conf -> /usr/local/lib/sasl2/smtpd.conf
#Postgres
pwcheck_method: auxprop
mech_list: PLAIN LOGIN
auxprop_plugin: sql
sql_engine: pgsql
sql_hostnames: pg.scom.ca:5433
sql_database: scom_billing
sql_user: xxxx
sql_passwd: xxxx
sql_select: SELECT password FROM email_users WHERE username = '%u@%r' and password <> 'alias' and currentcount_bad < 30 and status = True
i use status to allow disabling the users ability to login but you can easily expand the select statement to include another flag for imap user(s)
Happy Wednesday !!! Thanks - paul
Paul Kudla
Scom.ca Internet Services http://www.scom.ca 004-1009 Byron Street South Whitby, Ontario - Canada L1N 4S3
Toronto 416.642.7266 Main 1.866.411.7266 Fax 1.888.892.7266 Email paul@scom.ca
Hi, would it be a valid option just not creating the mailbox for the "submission only" users? Technically they could login to imap, but they would not have the mailbox.
-- Best regards Vladislav Kurz
There's a facility to add arbitrary code to the imap login process, e.g., in "10-master.conf":
# the imap service has to be started through the post-login service, otherwise the script is never run
service imap {
  executable = imap imap-postlogin
}
service imap-postlogin {
  executable = script-login /local/bin/imap-wrapper
  user = $default_internal_user
  unix_listener imap-postlogin {
  }
}
In our case, "/local/bin/imap-wrapper" is a Perl script that checks the user's login shell, and if it is one of our "blocked" shells, returns:
print "* NO [ALERT] Your account has expired, and access to it has been suspended. ".$msg_helpdesk_refer; exit 1;
otherwise it execs the command given in its arguments.
More info is at: https://doc.dovecot.org/admin_manual/post_login_scripting/
Anne.
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8 anne@encs.concordia.ca +1 514 848-2424 x2285
Just wondering: is there some sort of pre-login scripting facility for validation, as well as this post-login mechanism? I couldn't find anything like this in the Dovecot docs, but perhaps I missed something.
I'd like to be able to have the IP address, the protocol, the user ID, and the password examined before even passing the request to the standard login mechanism, and I'd like to be able to reject the request even prior to login. And a nice-to-have would also be the ability to alter the request before it gets passed on to the login mechanism.
Am I out of luck?
-- hippoman@gmail.com Take a hippopotamus to lunch today.
In authentication, you can use %{service} variable to expand into whatever service the user is trying to log into.
Dovecot also has auth policy server support, which allows you to make various predeterminations prior to the actual authentication, see https://doc.dovecot.org/configuration_manual/authentication/auth_policy/
Akki
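Putting Paul's "add another flag column" suggestion and Aki's %{service} hint together, here is an added example that is not code from this thread or from Dovecot: a password_query that lets a flagged account authenticate for SMTP AUTH (Postfix talking to the Dovecot auth socket reports the service name "smtp"; Dovecot's own submission server reports "submission") but fails it for imap, pop3 and everything else. Since you cannot run Dovecot's SQL driver offline, the script expands %u and %{service} itself and runs the same query against an in-memory SQLite table standing in for the PostgreSQL table; the table layout, column names, user names and the placeholder hashes are all made up for the example. The query text itself is what would go into dovecot-sql.conf.ext.

```python
"""
Added example (not from the Dovecot thread): a Dovecot SQL passdb query that
allows submission-only accounts to authenticate for SMTP AUTH but not for
IMAP/POP3, exercised offline against SQLite standing in for PostgreSQL.
Table layout, column names, user names and hashes are made up.
"""
import sqlite3

# The value you would put in dovecot-sql.conf.ext (one line there, or use
# backslash continuation).  Dovecot expands %u (login name) and %{service}
# (imap, pop3, smtp, submission, sieve, ...) and escapes them for the DB
# before running the query.  An account with imap_allowed = 0 may only use
# the listed services; everything else gets "no such user/password".
PASSWORD_QUERY = (
    "SELECT username AS user, password FROM email_users "
    "WHERE username = '%u' AND status = 1 "
    "AND (imap_allowed = 1 OR '%{service}' IN ('smtp', 'submission'))"
)

SCHEMA = """
CREATE TABLE email_users (
    username     TEXT PRIMARY KEY,
    password     TEXT NOT NULL,              -- {SHA512-CRYPT}... in real use
    status       INTEGER NOT NULL DEFAULT 1, -- 0 disables the account entirely
    imap_allowed INTEGER NOT NULL DEFAULT 1  -- 0 = may send, may not read mail
);
"""

# Constructed sample rows; the hashes are placeholders, not real credentials.
SAMPLE_USERS = [
    ("alice@example.com", "{SHA512-CRYPT}<alice-hash>", 1, 1),  # normal user
    ("relay@example.com", "{SHA512-CRYPT}<relay-hash>", 1, 0),  # submission only
    ("gone@example.com",  "{SHA512-CRYPT}<gone-hash>",  0, 1),  # disabled
]

SERVICES = ("imap", "pop3", "smtp", "submission", "sieve")


def sql_escape(value):
    """Double single quotes, which is what PostgreSQL/SQLite string escaping
    amounts to for the characters a login name can contain."""
    return value.replace("'", "''")


def expand(query, user, service):
    """Minimal stand-in for Dovecot's variable expansion: only %u and
    %{service}.  The service name comes from Dovecot, so it is expanded
    first; the user-controlled login name goes in last so it cannot be
    re-expanded."""
    query = query.replace("%{service}", sql_escape(service))
    return query.replace("%u", sql_escape(user))


def build_db():
    """Create the in-memory table and load the constructed sample users."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO email_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return db


def lookup(db, user, service):
    """Return the (user, password) row Dovecot would get back, or None,
    which Dovecot treats as an authentication failure."""
    return db.execute(expand(PASSWORD_QUERY, user, service)).fetchone()


def decision_table(db):
    """Map (user, service) -> True if a password row is returned."""
    return {
        (user, service): lookup(db, user, service) is not None
        for user, *_ in SAMPLE_USERS
        for service in SERVICES
    }


if __name__ == "__main__":
    db = build_db()
    for (user, service), ok in sorted(decision_table(db).items()):
        print(f"{user:20} {service:11} {'allow' if ok else 'deny'}")
```

Two things worth noting about the design: the restricted account is allow-listed to the two submission services rather than merely excluded from imap, so POP3 and ManageSieve cannot be used as a side door into the mailbox; and the status column still switches the whole account off regardless of service, which is the behaviour Paul's status flag already gives him.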
I would just configure a deny passdb inside protocol imap {} block with a list of users denied imap access. something like this:
protocol imap {
  passdb {
    driver = passwd-file
    args = /etc/dovecot/imap-deny-passdb
    deny = yes
  }
}
Sami